[atomic] Openvas 4.x Updates

Atomic repository announcements, new release notifications and other news regarding the atomic yum repository.
hostingguy
Forum Regular
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: [atomic] Openvas 4.x Updates

Unread post by hostingguy »

is openvas-nvt-sync-cron supposed to take a long time?
Its been running for about 20 minutes so far....

Is there also some instructions for CLI usage for scanning and emailing reports for those of us who don't use a GUI or dont want to use a web based manager?
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: [atomic] Openvas 4.x Updates

Unread post by scott »

Yes, its grabbing all the NVT's from upstream. That can take a while, depending on how loaded the servers are.

I havent used omp myself (I use GSA), you'd have to check on the openvas website for more information on that.
hostingguy
Forum Regular
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: [atomic] Openvas 4.x Updates

Unread post by hostingguy »

well it was at 2 hours last I checked - its on a server with no cusotmers, no traffic and no load so I expected it to be quite a bit faster starting the scanner.....
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: [atomic] Openvas 4.x Updates

Unread post by scott »

Yeah but how many people are hitting the openvas update server right now?
hostingguy
Forum Regular
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: [atomic] Openvas 4.x Updates

Unread post by hostingguy »

If i do it manually it takes for ever loading all the plugins

[edit]
I came back this morning and it had started, but I still do see this never working

Code: Select all

# ./openvas-check-setup
openvas-check-setup 2.0.6
  Test completeness and readiness of OpenVAS-4

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ...
        OK: OpenVAS Scanner is present in version 3.2.3.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: NVT collection in /var/lib/openvas/plugins contains 21019 NVTs.
Step 2: Checking OpenVAS Manager ...
        OK: OpenVAS Manager is present in version 2.0.3.
        OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
        ERROR: No OpenVAS Manager database found. (Tried: /var/lib/openvas/mgr/tasks.db)
        FIX: Run 'openvasmd --rebuild' while OpenVAS Scanner is running.

 ERROR: Your OpenVAS-4 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

# openvasmd --rebuild
Aborted
# service openvas-scanner status
openvassd (pid  813200) is running...

# service openvas-manager status
-l is stopped

# service openvas-manager start
Starting openvas-manager:
                                                           [  OK  ]

# service openvas-manager status
-l is stopped

So apparently it didnt like that it didnt create the db file, so I created an empty one and now that all is ok

Code: Select all

# touch /var/lib/openvas/mgr/tasks.db
# openvasmd --backup
# openvasmd --rebuild
# service openvas-manager status
-l is stopped

# service openvas-manager start
Starting openvas-manager:
                                                           [  OK  ]

# service openvas-manager status
-l (pid  463527) is running...
Now the setup verification script is complaining about something else

Code: Select all

# ./openvas-check-setup --server
openvas-check-setup 2.0.6
  Test completeness and readiness of OpenVAS-4

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

Step 1: Checking OpenVAS Scanner ...
        OK: OpenVAS Scanner is present in version 3.2.3.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: NVT collection in /var/lib/openvas/plugins contains 21019 NVTs.
Step 2: Checking OpenVAS Manager ...
        OK: OpenVAS Manager is present in version 2.0.3.
        OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 41.
        OK: OpenVAS Manager expects database at revision 41.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 21019 NVTs.
        OK: xsltproc found.
[b]Step 3: Checking OpenVAS Administrator ...
        ERROR: No OpenVAS Administrator (openvasad) found.
        FIX: Please install OpenVAS Administrator.[/b]

 ERROR: Your OpenVAS-4 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

So it wanted me to install openvas-administrator which didnt auto install with the yum install openvas command previously.

and even though I did this from the start, it now wants me to create a user

Code: Select all

Step 3: Checking OpenVAS Administrator ...
        OK: OpenVAS Administrator is present in version 1.1.1.
        OK: At least one user exists.
        ERROR: No admin user found. You need to create at least one admin user to log in.
        FIX: Create a user using 'openvasad -c 'add_user' -n <name> -r Admin'


# openvasad -c 'add_user' -n ovAdmin -r Admin
Enter password:
ad   main:MESSAGE:465416:2011-04-26 09h22.41 PDT: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:465416:2011-04-26 09h22.41 PDT: User ovAdmin has been successfully created.

it also didnt start the openvas administrator, so I had to start that manually as well.
Now it seems to be "ok" except that it always complains that the GSA is not bound to anything other than the local interface, and says it fixes it, but it says this every time - how can I make that permanent?

Code: Select all

Step 7: Checking if OpenVAS services are up and running ...
        OK: netstat found, extended checks of the OpenVAS services enabled.
        OK: OpenVAS Scanner is running and listening on all interfaces.
        OK: OpenVAS Scanner is listening on port 9391, which is the default port.
        OK: OpenVAS Manager is running and listening on all interfaces.
        OK: OpenVAS Manager is listening on port 9390, which is the default port.
        OK: OpenVAS Administrator is running and listening on all interfaces.
        OK: OpenVAS Administrator is listening on port 9393, which is the default port.
        [b]WARNING: Greenbone Security Assistant is running and listening only on the local interface. This means that you will not be able to access the Greenbone Security Assistant from the outside using a web browser.
        SUGGEST: Ensure that Greenbone Security Assistant listens on all interfaces.
        OK: Greenbone Security Assistant is listening on port 9392, which is the default port.[/b]
It seems like your OpenVAS-4 installation is OK.

Code: Select all

# netstat -an | grep 939
tcp        0      0 0.0.0.0:9390                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:9391                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:9392              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:9393                0.0.0.0:*                   LISTEN
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: [atomic] Openvas 4.x Updates

Unread post by scott »

The setup check script still needs some work as you see. I'd report that to upstream, since its not even part of the distribution yet. They could definitely use the feedback.
hostingguy
Forum Regular
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: [atomic] Openvas 4.x Updates

Unread post by hostingguy »

how do I tell it to bind to the private IP on the box instead of 0.0.0.0/127.0.0.1 so I can access the gui from outside of the local machine?
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: [atomic] Openvas 4.x Updates

Unread post by scott »

it uses the same sysconfig system as other daemons, so you can modify scanner/administrator/gsad/manager from there respective /etc/sysconfig/ files. 0.0.0.0 should be all interfaces though, are there firewall rules blocking it?
hostingguy
Forum Regular
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: [atomic] Openvas 4.x Updates

Unread post by hostingguy »

I dont think so but its possible. It may be an upstream firewall - I'll check.

Is there a way to initiate a scan from the command line and send the results via email instead of using the web gui?
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: [atomic] Openvas 4.x Updates

Unread post by scott »

I don't know about OMP, but you can create scheduled scans through GSA and create events (called "Escalators") around scans & scan targets. That event can be send an email, execute something, SNMP Trap, etc. So if you're trying to create a regularly scheduled test for your environment Id probably start with that.

Also you do not need to run GSA on the same system you scan from. Its basically just a client to openvas-manager. I run mine on my desktop, and then have it set to connect to remote scanners, which will let you view your reports while the scans are running, stop/start/pause, configure false positives & false negatives, etc.
Funboy
Forum User
Forum User
Posts: 54
Joined: Wed Aug 05, 2009 4:33 am

Re: [atomic] Openvas 4.x Updates

Unread post by Funboy »

Attn hostingguy or Scott

RE: can access the gui from outside of the local machine?

Did you ever get this working? I have installed Openvas on a Centos 5 64bit system and would also like to access it from outside, I have punched a hole in my firewall but nothing works using my server IP on port :9392 so just wondered if you ever got it going and could point me in the right direction as to what might need changing, everything my end so far is as per default installation.

Thanks.
hostingguy
Forum Regular
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Re: [atomic] Openvas 4.x Updates

Unread post by hostingguy »

I only spent another 5 minutes on this so far to confirm it wasnt a upstream firewall issue, but after that got sidetracked on other stuff and havent made it back to this yet unfortunately, so I dont think I will be much help in the short term.
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: [atomic] Openvas 4.x Updates

Unread post by scott »

I didnt have to do anything other than allow that port through the host firewall rules.
xmichielx
Forum User
Forum User
Posts: 42
Joined: Thu Nov 12, 2009 9:01 am

Re: [atomic] Openvas 4.x Updates

Unread post by xmichielx »

Hi,

I am having a similair problem with OpenVAS 4.* and gasd.
When I run the '/usr/local/sbin/openvas-check-setup' script I get:

ERROR: The number of NVTs in the OpenVAS Manager database is too low.
FIX: Make sure OpenVAS Scanner is running with an up-to-date NVT collection and run 'openvasmd --rebuild'.

ERROR: Your OpenVAS-4 installation is not yet complete!

I did the following to create the openvas-manager db:

touch /var/lib/openvas/mgr/tasks.db
openvasmd --backup
openvasmd --rebuild
service openvas-manager status
-l is stopped
service openvas-manager start
Starting openvas-manager:
[ OK ]
service openvas-manager status
-l is stopped

Then I check the database:
sqlite3 tasks.db "select count(*) from nvts;"
0

So it seems the NVT's are being uploaded in the database.
I can run the cron script fine and when I run openvas-nvt-sync --wget manually it gets all files.
user is created, new cert has been made.

Distro: CentOS 5.6 64 bit

What can be wrong with putting the NVT in the task.db file?
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: [atomic] Openvas 4.x Updates

Unread post by scott »

Ok looks like that is a bug in openvas-manager, its not letting it create the tasks db. Go ahead and upgrade to 2.0.3-3, delete that tasks.db and try running rebuild again.

For new users, just skip all the above and use the documented method:
1. yum install openvas
2. openvas-nvt-sync-cron
3. openvas-adduser
Post Reply